I have a pair of Cisco 6500s running in VSS. There are many SVIs configured and they can all talk to each other without any restriction. I need to restrict one VLAN from being able to talk to the other VLANs and vice versa, while still allowing some basic communication like DHCP. Not sure what other options are available to accomplish this, so I created an ACL and applied it to the SVI.
ip access-list extended test
 remark all intra-VLAN traffic should be allowed (not really needed)
 permit ip 172.16.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 remark allow DHCP traffic
 permit udp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 67 68
 remark allow access to DNS
 permit udp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq domain
 remark block everything else
 deny ip any any
!
interface Vlan161
 ip address 172.16.1.0 255.255.255.0
 ip access-group test in
However, it doesn't seem to work: I am still able to ping from the DHCP or DNS servers (with IPs in the 10.1.1.0/24 range) and get replies from any device on this VLAN (172.16.1.0/24). Any suggestions?
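The following is an added example, not part of the original post: a small model of the ACL above that evaluates Cisco wildcard masks and first-match semantics, and separates the two directions on the SVI, since an ACL applied with "in" only inspects packets arriving from hosts on VLAN 161. It also goes one step beyond the post by adding the entry a DHCP DISCOVER (source 0.0.0.0, destination 255.255.255.255) needs before ip helper-address can relay it. The hosts 172.16.1.20 and 10.1.1.5 are constructed sample addresses.

```python
# Added example (not from the original post): model of the inbound ACL on
# interface Vlan161. Sample hosts 172.16.1.20 and 10.1.1.5 are constructed.
import ipaddress

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

ANY = ("0.0.0.0", "255.255.255.255")

# (action, protocol, src net, src wildcard, dst net, dst wildcard, dst ports)
ACL_TEST = [
    ("permit", "ip",  "172.16.1.0", "0.0.0.255", "172.16.1.0", "0.0.0.255", None),
    ("permit", "udp", "172.16.1.0", "0.0.0.255", "10.1.1.0",   "0.0.0.255", {67, 68}),
    ("permit", "udp", "172.16.1.0", "0.0.0.255", "10.1.1.0",   "0.0.0.255", {53}),
    ("deny",   "ip",  *ANY, *ANY, None),
]

# Same ACL plus the entry the original lacks: a DHCP DISCOVER is sourced from
# 0.0.0.0 to 255.255.255.255 and hits the inbound ACL before the relay.
ACL_WITH_DHCP_DISCOVER = [
    ("permit", "udp", *ANY, "255.255.255.255", "0.0.0.0", {67}),
] + ACL_TEST

def acl_action(acl, proto, src, dst, dport=None):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, p, s, swc, d, dwc, ports in acl:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)):
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "deny"

def svi161(direction, proto, src, dst, dport=None, acl=ACL_TEST):
    """'in'  = packet entered the switch from a host on VLAN 161 (inspected).
    'out' = packet routed from another SVI toward VLAN 161; an ACL applied
    with 'ip access-group test in' never sees it."""
    if direction == "out":
        return "not inspected"
    return acl_action(acl, proto, src, dst, dport)

if __name__ == "__main__":
    # Ping from a 10.1.1.0/24 server: request is outbound, reply is inbound.
    print(svi161("out", "icmp", "10.1.1.5", "172.16.1.20"))        # not inspected
    print(svi161("in", "icmp", "172.16.1.20", "10.1.1.5"))         # deny
    print(svi161("in", "udp", "0.0.0.0", "255.255.255.255", 67))   # deny
    print(svi161("in", "udp", "0.0.0.0", "255.255.255.255", 67,
                 acl=ACL_WITH_DHCP_DISCOVER))                      # permit
```

By this model the ICMP echo reply from a VLAN 161 host should already hit the final deny, so a reply that gets through means the ACL is not being evaluated as written; the match counters in "show ip access-lists test" are the first place to confirm that.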